ssh default security risc

Giorgos Keramidas keramida at ceid.upatras.gr
Fri Feb 4 00:09:06 PST 2005


On 2005-02-03 22:54, Ted Mittelstaedt <tedm at toybox.placo.com> wrote:
>Giorgos Keramidas wrote:
>>On 2005-02-04 01:04, Gert Cuykens <gert.cuykens at gmail.com> wrote:
>>> On Fri, 04 Feb 2005 00:05:34 +0000, Chris Hodgins
>>> <chodgins at cis.strath.ac.uk> wrote:
>>> True but the point is without the ssh root enabled there is
>>> nothing you can do about it to stop them if they change your user
>>> password
>>
>> [...]
>> You may also want to consider than having SSH enabled for root
>> means there is only ONE step at becoming root from any remote
>> location.
>>
>> Having to SSH as a user first, with the right combination of SSH
>> keys and passwords, and then use su(1) with yet another password is
>> at least one more step.
>>
>> Why is the first, 1-step procedure safer than the second?
>
> I think I'm going to interject a few things here to this discussion,
> which has turned into a ridiculous religious argument.
>
> In answer to your question about a 1-step procedure safer than the
> second, well as a matter of fact there are circumstances when it is.
> For example:
>
> [snip great advice about securing ssh access]

I was (perhaps not so) obviously referring to "all other things being
equal, allowing ssh access to a plain user is safer than allowing
direct ssh access to root."

All great points, though.  Thanks Ted.

- Giorgos
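As an added illustration (not code from this thread or from FreeBSD), here is a small POSIX shell check that reports which of the two procedures discussed above a given sshd_config permits: direct root login in one step, or a user login followed by su(1). The two config texts are constructed samples; the first-match rule is real sshd behaviour (the first value found for a keyword wins, so a later "PermitRootLogin no" does not undo an earlier "yes"), and the function only treats root login as disabled when it is explicitly set to "no", since an unset keyword falls back to sshd's compiled-in default.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Audits sshd_config text
# for the PermitRootLogin setting the discussion is about.

# Constructed sample configs (hypothetical contents, for offline testing).
SAMPLE_WEAK='# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no'

SAMPLE_HARDENED='# sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# effective_value KEYWORD DEFAULT: read config text on stdin, strip
# comments, match the keyword case-insensitively and print the FIRST
# value found (sshd's first-match rule); print DEFAULT when unset.
# Only the "Keyword value" form is handled, not "Keyword=value".
effective_value() {
    keyword=$1
    default=$2
    val=$(sed -e 's/#.*//' | awk -v kw="$keyword" '
        tolower($1) == tolower(kw) { print tolower($2); exit }')
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$default"
}

# root_login_disabled CONFIG_TEXT: exit 0 only when PermitRootLogin is
# explicitly "no"; anything else (yes, without-password, unset) exits 1,
# because unset leaves sshd's built-in default in force.
root_login_disabled() {
    v=$(printf '%s\n' "$1" | effective_value PermitRootLogin unset)
    case "$v" in
        no) return 0 ;;
        *)  return 1 ;;
    esac
}

# report CONFIG_TEXT: say which procedure the config allows.
report() {
    if root_login_disabled "$1"; then
        echo "root login disabled: remote root requires user login + su"
    else
        echo "root login enabled: one step from remote to root"
    fi
}

report "$SAMPLE_WEAK"
report "$SAMPLE_HARDENED"
# To audit a live host:  root_login_disabled "$(cat /etc/ssh/sshd_config)"
```

The first sample shows why the check reads the first occurrence rather than the last: an administrator who appends "PermitRootLogin no" to the end of a file that already says "yes" higher up has changed nothing.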
